Wednesday, March 21, 2007

Xbox Live and Hackers

I think this is probably a bigger story than anyone understands yet.

From ZDNet:
Online gaming forums are buzzing with reports that Xbox Live accounts linked to Microsoft's Windows Live ID service are being hijacked by malicious hackers.

Kevin Finisterre, a security researcher at Digital Munition, raised the issue on the Full Disclosure mailing list over the weekend, calling attention to rumors that Microsoft's was the victim of a breach that exposed a portion of Xbox Live.

"Some folks are having their Microsoft points stolen and/or points purchased via their stolen gamer tag," Finisterre said.

A quick search of user forums at and other gaming sites turned up multiple messages from Xbox Live users complaining about hijacked accounts, which typically link gamer tags to Windows Live ID (formerly .NET Passport).

Kotaku e-mailed Microsoft support asking for an official response, and here's what they got:

"Recently, there have been reports of fraudulent activity and account theft taking place on the Xbox LIVE network. Security is a top priority for Xbox LIVE, and we are actively investigating all reports of fraudulent behavior and theft. Any customer with a question about the security of their Xbox LIVE account should contact 1-800-4-MY-Xbox, and an Xbox Customer Service Representative will help them understand our security policies and procedures."

A Microsoft rep went on to tell me that while they are investigating the concerns, they have not found any security breach of or Xbox Live accounts.


Here's my guess: accounts have been compromised. Microsoft is going to continue to issue very soft denials until they can establish the number of accounts involved. At that point, they'll admit that this has happened.

This could quickly degenerate into a public relations disaster for Microsoft if it's handled badly.

Here's more information from Shacknews (thanks Jonin):
Digital Munition has now posted an audio log of one of Finisterre's many calls to Microsoft support, which seems to indicate that the representatives are aware of the issue but unable to take any meaningful action. Based on comments made by the support techs, the partial reason for this appears to be that some of Bungie's online community features are independent from Microsoft's broader Xbox Live systems, and Microsoft support cannot reverse account changes made by Bungie's system. Finisterre was assured that an account hacker would not have access to his credit card information, though that does not prevent somebody in control of an account from using the saved--but private--credit card information to buy any number of Microsoft Points before the account is banned.

Finisterre appears to have been targeted specifically. He recounts being told by his opponents during a game of Halo 2 that his account would be stolen--and the next day he discovered that it had. Other Xbox Live users tell stories of their credit card limits being maxed out by purchases of thousands of dollars' worth of Microsoft Points, and their home addresses and phone numbers being acquired and abused.

Again, I'm guessing there's too much smoke here for there not to be any fire, and the clock is ticking for Microsoft to establish the extent of what's happening.
